When it comes to their vendor management program, financial institutions often overlook non IT-vendors -- the cleaning crews and other service providers that can pose a real risk to sensitive information, industry experts said.
Banking regulators require financial institutions to have vendor management programs that ensure customer data is protected. However, many banks focus only on IT vendors, said Ruth Razook, CEO of RLR Management Consulting Inc., a La Quinta, Calif.-based firm that provides IT, strategy and other services to community and independent banks. That leaves out suppliers like janitors and plant maintenance providers whose after-hours and unsupervised access to office facilities makes them a high risk for stealing confidential information left on desks or in trash cans, she said.
Regulators are looking for an enterprise-wide vendor management program that takes into account all types of vendors, Razook said. They stressed the point during a conference panel she recently moderated with representatives from the FDIC and the Office of the Comptroller of the Currency (OCC). "Most banks still concentrate on their IT vendors and it's got to change," she said.
David Schneier, a compliance consultant who works with financial institutions, said an example of unchecked risks with non-IT vendors occurred while he did some late-night risk assessment work for a credit union last year. Sitting in the executive office suite, he heard a sound and peered out the door. To his surprise, a preschooler, followed by his father, was ambling to the restroom.
The next morning, he asked the credit union's CEO about it, who in turn asked the facilities manager. It turned out that the man was the husband of a woman working for the cleaning vendor, and that he and his son regularly brought her dinner to the office. "Think about the scenario: A completely unknown entity, the husband, within a secured area and no one from the credit union had any idea about it," Schneier said.
On further questioning, he learned that the credit union didn't have any assurances that the cleaning crew was properly vetted or any contractual clauses to govern such a situation.
"Now ask yourself how you'd feel if you had money deposited with them and knew there was the potential that your account number or Social Security number was on a form or printed report left out in the open and where any number of unknown entities potentially had access to it," Schneier said.
By overlooking non-IT vendors and not implementing proper security controls, financial institutions run the risk of violating GLBA if the vendor gains unauthorized access to sensitive information, said Susan Orr, a financial-services consultant who spent 14 years as a banking examiner. They also are putting customers at risk for identity theft. Other third parties to consider include accounts payable and HR vendors to ensure corporate and employee information is secure, she added.
While physical theft is the main risk with vendors like cleaning services and security guards, there is the chance that criminals could plant a person with technical skills on a cleaning crew to break into computers and steal data, said Paul Rohmeyer, a consultant and assistant professor at Stevens Institute of Technology in Hoboken, N.J.
The proliferation of small and cheap storage devices also provides criminals with a way to siphon off data if they can access machines, he added.
Financial institutions need to educate users about shutting down and locking systems during off hours and not writing down passwords, but they also need to deploy technical measures such as controls that prevent someone from plugging a flash drive into a PC, he said.
Razook said a good place for banks to start an enterprise-wide vendor management process is with a vendor list from accounts payable. "Do a risk assessment on those vendors and decide who should be incorporated into a vendor management program and who you can exclude but it should be noted that you went through that process," she said.
An exception might be a food service that doesn't have access to the building unsupervised, Razook said. For higher risk vendors, a company may want to verify they're insured or that a confidentiality agreement is in place.
"Banks should go through that process," she said. "The regulators are going to be looking for that."
Orr said a written vendor management program is a regulatory requirement and regulators will be reviewing banks' programs. "Granted, this year there have been credit situations that are occupying examiners' attention, but institutions should not get complacent or lax in thinking that because this year no one looked at it or commented on it that they will get by next year," she said.